CVE-2024-10153 in Boat Booking System
Summary
by MITRE • 10/19/2024
A vulnerability has been found in PHPGurukul Boat Booking System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file book-boat.php?bid=1 of the component Book a Boat Page. The manipulation of the argument nopeople leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 03/16/2025
The vulnerability CVE-2024-10153 represents a critical sql injection flaw in the PHPGurukul Boat Booking System version 1.0, specifically within the book-boat.php component. This vulnerability exists in the Book a Boat Page functionality and demonstrates a serious security weakness that allows attackers to manipulate database operations through improper input validation. The affected parameter nopeople within the bid=1 context creates an exploitable path where malicious input can be directly incorporated into sql queries without adequate sanitization or parameterization.
The technical nature of this vulnerability stems from inadequate input validation and sanitization practices within the php application code. When users submit booking requests through the boat booking interface, the nopeople parameter is directly incorporated into sql query construction without proper escaping or parameter binding mechanisms. This creates an environment where an attacker can inject malicious sql payloads that bypass authentication mechanisms and manipulate database contents. The vulnerability is classified as remote, meaning attackers can exploit it from external networks without requiring physical access to the system infrastructure.
The operational impact of this vulnerability is severe and multifaceted, potentially allowing attackers to execute arbitrary sql commands on the affected database server. Successful exploitation could enable unauthorized access to sensitive user data including personal information, booking records, and potentially administrative credentials. Attackers might also be able to modify or delete database entries, disrupt service availability, or establish persistent access through database-level backdoors. The public disclosure of this exploit increases the likelihood of widespread exploitation and makes the system particularly vulnerable during the initial disclosure period.
Security mitigations for this vulnerability should focus on implementing proper input validation and parameterized queries throughout the application codebase. The recommended approach involves using prepared statements with parameterized queries to ensure that user input cannot be interpreted as sql commands. Additionally, implementing proper input sanitization, output encoding, and least privilege access controls would significantly reduce the attack surface. Network-level protections such as web application firewalls and intrusion detection systems can provide additional layers of defense. The vulnerability aligns with CWE-89 sql injection weakness and represents a direct violation of secure coding practices outlined in the OWASP Top Ten. According to ATT&CK framework, this vulnerability maps to T1190 exploitation for privilege escalation and T1071.004 application layer protocol network protocol implementation details. Organizations should immediately implement patch management procedures, conduct comprehensive security assessments of the affected system, and monitor for any signs of exploitation attempts in their network logs and database audit trails.